APAAR ID Explained: What Every Parent Should Know

Tl;dr

Read a detailed explainer and actionable steps for students and parents on the APAAR ID. Understand how your child’s data is handled and what steps you need to take to ensure their privacy and security.

What is the APAAR ID? 

On July 29, 2023, the Automated Permanent Academic Account Registry [“APAAR ID”] was introduced by the Ministry of Education [“MoE”] through a panel discussion on the implementation of the National Education Policy, 2020. It falls under the ‘One Student, One Unique ID’ initiative and aims to assign students unique IDs linked to their Aadhaar numbers. These IDs would track lifelong educational records.

The enrollment process started in October 2023, with MoE urging state chief secretaries to have schools help students create APAAR IDs. Parental consent was required for students under 18, prompting schools to hold special parent-teacher meetings for approval. Also, reports have emerged that it is being coercively imposed on students despite parental concerns and without any opt-out mechanism. 

Why is it bad?

The APAAR ID system presents significant risks, especially in the collection and handling of minors' sensitive data, including personal and academic information, without adequate legal safeguards or robust data protection measures. Moreover, the APAAR ID framework is a unified, interoperable system that links student IDs with Digilocker and Academic Bank of Credits [“ABC”] accounts, allowing ministries and other entities to access student data. With the Digital Personal Data Protection Act, 2023 [“Data Protection Act, 2023”] still not in effect, students’ data remains highly vulnerable to misuse, breaches, and unauthorised access. 

The government’s aggressive push for 100% integration of the academic records by 2026-27 has raised concerns. The system is being advanced without the necessary mechanisms to secure data or ensure transparency in its usage. The APAAR ID Terms of Use and Privacy Policy provide only vague details. They fail to adequately address data protection, which further raises alarms about potential exploitation. We will explore these issues in more detail in this blog.

We have previously discussed our concerns with APAAR ID in more detail here.

What is voluntary anyway?

The APAAR ID framework, though officially marketed as voluntary as per the “Important Information” document on their website, has effectively become mandatory, much like the Aadhaar. 

On October 11, 2023, the MoE issued a directive urging schools to adopt APAAR ID and providing detailed guidance on implementation. However, the directive never mentioned getting consent.

In reality, although many schools have made it completely voluntary, many parents report that they are not given the choice to refuse consent. Instead, schools are pushing parents to agree by holding "special parent-teacher meetings" to try to convince them to create an APAAR ID for their child. This is particularly worrying in rural areas, where a lack of tech knowledge could lead to parents agreeing without fully understanding the situation. Moreover, many rural students who do not have Aadhaar cards may be excluded from the system, which goes against a Supreme Court ruling in Justice (Retd.) K.S. Puttaswamy v. Union of India [2019 (1) SCC 1, paras 382, 391.3] which stated that Aadhaar cannot be a requirement for accessing basic education.

In fact, as per Section 6(1) of the Data Protection Act, 2023,  consent has to be free, specific, informed, unconditional, and unambiguous with clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.

While the system is supposed to be optional, students, schools, teachers, and parents are increasingly pressured to comply, creating an environment where refusal could inadvertently lead to exclusion or difficulty in accessing education. 

Consent Form: What’s really happening here?

Schools require parental consent to enroll students into the registry as the students are minors. As part of this, parents are required to sign the Consent Form which allows for the sharing of the student’s Aadhaar number and other demographic information issued by UIDAl (the government agency responsible for issuing Aadhaar numbers) with the MoE for the sole purpose of creating an APAAR ID.

The circular says that consent can be withdrawn, and the processing of shared information will stop. However, it also states that this does not apply to information that has already been processed. In other words, any personal data that has already been processed will not be affected if consent is withdrawn. 

IFF has already highlighted the key issues surrounding the APAAR ID and its effectively mandatory nature and subsequent to it a Terms of Use and Privacy Policy has been published. Do these documents offer any additional safeguards? 

What data is collected?

APAAR ID collects a wide range of personal information according to its Terms of Use [Clause 15] and Privacy Policy [Clause 1]. When registering, users may provide details like their name, date of birth, gender, and contact information. It also collects educational records, such as marksheets, transcripts, and certificates, either from the users or their educational institutions.

Users are also required to link their Aadhaar number to the APAAR ID account. This allows APAAR ID to use the Aadhaar number for authentication. Additionally, APAAR ID is connected to DigiLocker, which can access eKYC data.

How is your data processed/used?

APAAR ID Privacy Policy [Clause 2] claims that the information is collected to manage user accounts, provide access to APAAR ID, and facilitate the storage and retrieval of academic records. Information is also used to communicate important updates, announcements, and notifications related to APAAR ID. 

However, most notably, the aggregated and anonymised data, i.e. data without personal information, may be employed for research, statistical analysis, and the enhancement of educational services. Here’s the thing — this is very vague. While it sounds well-meaning, the lack of clarity raises questions, and also risks of denanonymisation exist. 

How long is the data collected retained?

As per the Privacy Policy [Clause 5], data will be retained as long as your APAAR account remains active or until you request its deletion. However, APAAR ID and its integrated services may retain certain personal data or records related to data processing for legal, compliance, and log maintenance purposes.

Our concerns

• Collection Limitation: The Privacy Policy raises concerns about collecting too much data without clear reasons. The types of sensitive data collected are not directly tied to specific needs, which goes against the principle of only collecting what is necessary.
• Purpose Limitation: The Privacy Policy says data will be used to manage accounts, provide access, and store academic records. However, it also mentions the data may be used for research and improving education, without clearly explaining how. This lack of detail makes it hard for users to understand how their data might be used, raising concerns about misuse.
• Storage Limitation: While the Privacy Policy says data will be kept as long as the APAAR ID is active or until the user asks for it to be deleted, the consent form states that the ID lasts for life. It also mentions keeping data for "legal and compliance" reasons but does not explain how long data will be kept after an account is deleted. Furthermore, neither the Privacy Policy nor the Consent Form provides a clear process for users to withdraw consent or delete their data.

What can students and parents do?

If you are a parent reading this, it is essential to stay informed and protect your child's rights in the digital age. Here is what you can do:

• Know your rights: Understanding your rights is the first step in navigating the APAAR ID system and protecting your child’s privacy. 
  • The Supreme Court in the case of Justice (Retd.) K.S. Puttaswamy v. Union of India [2019 (1) SCC 1, para 511.13.3] clarified that educational institutions, including those that conduct exams like CBSE, NEET, and JEE, cannot require Aadhaar numbers for basic rights under the Right to Education Act. This means schools cannot require Aadhaar for admissions or board exams, making the APAAR ID similarly non-compulsory for your child’s education. 
  • The Supreme Court ruling further emphasised that children's data requires additional safeguards, recognising it as sensitive and necessitating stronger protections. 
  • Complementing this, Section 9(1) of the Data Protection Act, 2023, requires parental consent before processing any data related to children. 
  • Additionally, Section 6(4) of the Data Protection Act, 2023 allows parents to withdraw consent at any time, with the process required to be as simple as granting consent initially. While the Data Protection Act, 2023, has not yet come into effect, its principles—such as explicit consent requirements and enhanced data protection measures for children—are widely acknowledged as essential for safeguarding children’s privacy rights. 
• Form parent collectives: It is important to stay connected with other parents who may have the same concerns. Consider joining parent groups or attending school meetings where you can discuss your questions and concerns. Collective action and informed discussion can ensure that your voices are heard, especially if there are widespread concerns about APAAR ID.
• Ask questions: The lack of transparency around APAAR ID’s data collection and usage is one of the biggest concerns. Here are some key questions you should ask:
  • What will happen if I deny consent for my child to be enrolled in APAAR ID? Will my child be excluded from school or face any other repercussions? Is there an alternative to APAAR for students who do not participate?
  • What is the process for giving consent? How do I know exactly what data is being collected, and for what purposes? Is the consent process clear and voluntary?
  • How can I withdraw my consent later? What steps should I follow to withdraw consent for my child’s APAAR ID? How easy is it to do so, and will any data continue to be stored after I withdraw my consent?
  • What happens to my child's data if I withdraw consent? If I withdraw consent, will my child's data be deleted? How long will it be retained, and will any of the information already collected be used for other purposes?

In case you would like to send a letter to your child’s school, we have drafted a template letter for you. 

• Grievance Redressal: The APAAR ID Privacy Policy includes a grievance redressal system for addressing issues related to personal data. While the full grievance procedure is not fully outlined, it provides an option for users to raise concerns. This ensures accountability and offers a formal process for resolving data-related issues under the Data Protection Act, 2023. 

• Reach out to IFF: If you have concerns about the APAAR ID framework or your child's rights, reach out to us. We offer legal guidance on data protection, consent, and privacy, helping you address issues like consent withdrawal, data collection, or pressure from schools. We are here to ensure your rights are respected and provide the support you need. We have already filed RTIs with CBSE and the state education departments of a few states, let us know if you would like our help to file RTIs with your concerned state education authorities! Email us at [email protected]. 

Important documents 

1. APAAR ID Privacy Policy [Link]
2. APAAR ID Terms of Use [Link]
3. Consent Form for parents [Link]
4. APAAR ID notification [Link]
5. APAAR ID “Important Information” document [Link]
6. IFF Blog titled “Aadhaar-based student ID raises alarm for privacy” [Link]